CyberSec4Europe’s report Security Requirements and Risk Conceptualization compiles the results of our research on the intersection of security and usability. It explores several usability solutions that are motivated by the need to empower users to make sensible security choices. The research also explores methods on how to advise or convince users on different security solutions such as authentication methods or privacy settings, and how to make visible the underlying structures such as security policies or cryptographic protocols.

We organized the research results under three main themes: data privacy and protection, solutions for fulfilling security requirements, and analysing and illuminating security for the benefit of users.

First, processing of personal data is a necessary step in many modern services. From the point of view of businesses, it is important to comply with regulations, e.g., the General Data Protection Regulation (GDPR).  From the point of view of the citizen, it is important to have knowledge and options on the ways your personal data is used.

The report describes three studies that discuss the intersection of privacy and usability. From the point of view of the end user, we explored the way security and privacy properties of products affect its usability and user adoption of the product. From the point of view of the service provider, we present a way for facilitating one of the GDPR requirements, the Data Protection Impact Assessment (DPIA), in a usable manner. Finally, combining the two perspectives, we reported on a study in which the service provider aims to predict suitable privacy settings for the users, resulting in a smooth user experience when the prediction is successful, while allowing the users to modify the settings if they so choose.

For second theme of the report, we highlight different kinds of tools or methods for eliciting and fulfilling security requirements. For example, we show how security games, which are usually developed for training purposes, can be used to elicit security requirements and improve security policies. From research into privacy notifications, we were able to infer a set of design guidelines for Transparency Enhancing Technologies (TETs). Furthermore, we proposed a framework for adaptive authentication that can take into account users’ preferences and privacy requirements.

The third theme is about enhancing the human understanding of security solutions. We present ways to analyse and model user behaviour and the usability of products or services, and frameworks for enhancing usability of security solutions.

For instance, we propose a generic method for systematically analysing the usability of security mechanisms in order to better assess the trade-offs between security and usability. Additionally, research on a tool for configuring multi-factor authentication discusses similar trade-offs. Next, we discuss the usability of authentication, one of the most common experiences a user can have in a digital landscape. Authentication is also applied as a use case for an expedition into human understandable cryptography. Lastly, we analysed access control policies in complex, heterogeneous systems using formal methods, and used automation and visualization to enhance the usability of the analysis results.

In conclusion, ease of use is an important design consideration for security solutions. One would be wise to try, for example, modelling their system to ensure its usability at an early stage of development. Games and visualizations are also convenient for making the human user understand abstract cyber security concepts more easily.

Outi-Marja Latvala

VTT, Finland